Privacy Officer? Think HIPAA

You may have heard a lot lately about privacy officers for companies, but do you really need to create such a position in your company? Perhaps yes, perhaps no.

That probably isn’t the answer you were hoping for. Whether you need one or not really depends on the industry you are in, the number of employees you have, the types of services you provide customers, and legal concerns your company may have concerning privacy issues.

Most privacy officers tend to concentrate on the consumer side of business, dealing with how to handle customer information and Web site privacy, but many also have HR functions:

  • Managing personnel functions, such as monitoring employees' e-mail, Internet use, and voice mail.

  • Overseeing employee information that must be kept confidential, such as data collected for benefits administration, for ADA or EEOC compliance, and even for skill-inventory activities.

  • Monitoring employees to make sure they are doing their work correctly, especially when they are dealing with customers.

"Whether you have a full-time privacy officer or not, there needs to be a point of contact when it comes to privacy," says Thomas Bonitz, senior vice-president of privacy and IS security at Mutual of Omaha in Omaha, Neb., "because the laws are becoming very complex. In addition, the person who is in charge of privacy issues can facilitate the dissemination of the laws and compliance issues that are at stake to the rest of the organization."

HIPAA’s new regs

But, says Bonitz, you may not need a full-time privacy officer for your organization. You will, however, probably need someone in HR who can be designated as the "privacy contact" for your company because of the newest regulations under the Health Insurance Portability and Accountability Act (HIPAA).

"Because of these new regulations," says Bonitz, "Health and Human Services is now requiring that your company designate one person to be your contact person for the agency to contact if they need information regarding your privacy matters."

HIPAA privacy rules, which took effect on April 14, 2001, cover health plans, healthcare clearinghouses, and those healthcare providers who conduct certain financial and administrative transactions, such as electronic billing and electronic fund transfers. Self–administered employee health benefit plans and plans with fewer than 50 participants are excluded.

The rules are comprehensive and give patients new rights to understand and control how their health information is being used. (You can check out these new HIPAA privacy regulations by clicking on the Web site for the U.S. Department of Health and Human Services at

Bonitz says that these latest regulations are so comprehensive that a great deal of his time is being taken up with just finding ways to comply with them. "Typically, a company like ours has about 100 people in HR, and they may have four or five of those employees who deal specifically with the group health plan," he notes.

"This information must now be segmented from the information they typically use in the rest of the HR process. Now, you actually have to build these firewalls between that information and the rest of the organization." He explains that the firewalls are required because of concerns that employers could use employee health information to make employment decisions.

Finding a privacy officer

As Bonitz notes, you may not need a full-time person to handle privacy issues, but you do need someone who oversees these subjects. If you don't need a full-time privacy officer, especially if the role covers only HR issues, you will want to designate an HR staff person as the resident expert.

If, however, you are looking for an overall privacy officer, Bonitz suggests that you take a look at your industry before deciding where to find one. "Probably half of chief privacy officers are lawyers, but others come from corporate affairs, from HR, or from IT. It takes someone who is analytical who can understand the laws and the process that your company needs to address."

Some experts, such as Dr. Alan Westin, professor emeritus at Columbia University and president of Privacy & American Business, suggest that it may sometimes be best to bring in someone from the outside so that employees don't worry that the person is too closely aligned with the company's senior management. That may not be a good idea, however, for large companies or businesses in highly regulated fields, says Bonitz. They should probably find someone on the inside, because their privacy officer needs intimate knowledge of the laws governing their business.

Article by Nancy Hatch Woodward, Contributing Editor, Best Practices in Compensation & Benefits
This article is provided by BenefitsNext. Visit BenefitsNext for plain-English compliance information, work-saving forms and checklists, daily news, and a free weekly E-Zine. Copyright 2002, BLR Inc.